iptables (and/or the successor tool nftables) is the user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, which is implemented as different Netfilter modules. (summary from Wikipedia)

Since iptables and nftables are a user-space utility programs intended to be used by people, by system administrators, and people are not always completely comfortable with the underlying numbers, they accept human readable descriptions for IP-protocols (tcp, icmp, udp etc), IP-addresses (hostnames), and port numbers (service-names).

From a UI aspect using human readable names appears to be a good thing:

• as an administrator I'm probably not the only one that has a much better intuitive grasp of the meaning of:
  iptables --protocol udp
  compared to: iptables --protocol 17 and similar.
• a hostname gateway.example.net often makes more sense than an IP-address such as 192.0.2.1
• and on a web server allowing HTTP and HTTPS is more obvious than allowing TCP/80 resp. TCP/443.

Is that safe to do?

Or should you stay away from that?

What are the caveats?

Every now and then I get the odd request to provide remote support, troubleshooting and/or performance tuning on Linux systems.

Larger companies often already have well established procedures to provide remote access to vendors/suppliers and I only need to comply to those. (For better or for worse.)

On the other hand small companies and individuals invariably turn to me to instruct them with what they need to do to set up me up. Typically their servers are directly connected to the internet and the existing security measures consist of the defaults for whatever their Linux distribution is.

Nearly always I'll need root level access and whoever will be setting up access for me is not an expert sysadmin. I don't want their root password and I'm also pretty sure my actions won't be malicious, but what reasonably simple instructions should I give to:

• set up an account and securely exchange credentials
• set up root (sudo) access
• restrict access to my account
• provide audit trail

(And yes I'm aware and always warn those clients that once I do have admin access hiding any malicious actions is trivial, but let's assume that I have nothing to hide and actively participate in creating an audit trail.)

What can be improved on the steps below?

My current instruction set:

set up an account and securely exchange credentials

I provide a password hash and ask that my account is set up with that encrypted password, so we won't need to transmit a clear text password, I'l be the only one that knows the password and we don't start off with a predictable weak password.

sudo useradd -p '$1$********' hbruijn

I provide a public key SSH (specific key-pair per client) and ask they set up my account with that key:

sudo su - hbruijn
mkdir -p ~/.ssh
chmod 0700 ~/.ssh
echo 'from="10.80.0.0/14,192.168.1.2" ssh-rsa AAAAB3NzaC1y***...***== hbruijn@serverfault' >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys 

set up root (sudo) access

I ask the client to set up sudo for me with sudo sudoedit or by using their favourite editor and append to /etc/sudoers:

hbruijn ALL=(ALL) ALL

restrict access to my account

Typically the client still allows password based logins and I ask them to add the following two lines to /etc/ssh/sshd_config to at least restrict my account to SSH keys only:

Match user hbruijn
PasswordAuthentication no

Depending on the client I'll route all my SSH access through a single bastion host to always provide a single static IP-address (for instance 192.168.1.2) and/or provide the IP-address range my ISP uses (for instance 10.80.0.0/14). The client may need to add those to a firewall whitelist if SSH access is restricted (more often than not ssh is unfiltered though).

You already saw those ip-addresses as the from= restriction in the ~.ssh/authorized_keys file that limits the hosts from which my key can be used to access their systems.

provide audit trail

Until now no client has asked me for that, and I have not done anything specific beyond the following to cover my ass:

I try to consistently use sudo with individual commands and try to prevent using sudo -i or sudo su -. I try not to use sudo vim /path/to/file but use sudoedit instead.

By default all the privileged actions will then be logged to syslog (and /var/log/secure):

Sep 26 11:00:03 hostname sudo:  hbruijn : TTY=pts/0 ; PWD=/home/hbruijn ; USER=jboss ; COMMAND=sudoedit /usr/share/jbossas/domain/configuration/domain.xml  
Sep 26 11:00:34 hostname sudo:  hbruijn : TTY=pts/0 ; PWD=/home/hbruijn ; USER=root ; COMMAND=/usr/bin/tail -n 5 /var/log/messages

I have mostly gives up on customising my work environments, the only thing I really do is set the following in my ~/.bash_profile increasing the bash history and to include time-stamps:

export HISTSIZE=99999999999
export HISTFILESIZE=99999999999
export HISTIGNORE="w:ls:ls -lart:dmesg:history:fg"
export HISTTIMEFORMAT='%F %H:%M:%S  '
shopt -s histappend

This is a proposed Canonical Question about understanding and debugging the software firewall on Linux systems.

In response to EEAA's answer and @Shog's comment that we need a suitable canonical Q&A for closing common relatively simple questions about iptables.

What is a structured method to debug problems with the Linux software firewall, the netfilter packet filtering framework, commonly referred to by the userland interface iptables?

What are common pitfalls, recurring questions and simple or slightly more obscure things to check that an occasional firewall administrator might overlook or otherwise benefit from knowing?

Even when you use tooling such as UFW, FirewallD (aka firewall-cmd), Shorewall or similar you might benefit from looking under the hood without the abstraction layer those tools offer.

This question is not intended as a How-To for building firewalls: check the product documentation for that and for instance contribute recipes to iptables Trips & Tricks or search the tagged iptables ufw firewalld firewall-cmd questions for existing frequent and well regarded high-scoring Q&A's.